The author appears to accept Microsoft's mistake about password strength being directly related to the complexity of the password selected. This is simply not true!
The author is correct when he implies that some passwords may be easily guessed. Passwords that are easily associated with the person are susceptible to social engineering attacks and therefore are generally weaker than passwords that are not associated with the individual.
But the automated systems used by Microsoft and some other companies to evaluate the "strength" of a password do not check for this kind of weakness and are useless - or even worse.
Let's say you were born on the fourth of July in 1976, your wife's name is Carol, and your dog's name is Spot.
All these systems will tell you that a password of CAROL or SPOT is very weak -- but these same systems will tell you that a password of 4July1976 is very strong because it contains a mix of upper and lower case letters and numbers. But, of course, all these passwords are actually weak ONLY because they are things a person might guess.
Now let's consider one more possible password. What would the system think about the strength of QWERTYUIOP as a password? I have not run that particular password by the password checker in this particular program, but other systems that use the same algorithm will report it as moderate -- complaining that it is only letters, but accepting that the length makes it stronger than passwords like SPOT and CAROL.
In point of fact, excluding "easily guessed" passwords, it is the complexity ALLOWED for a password that determines its strength, NOT the complexity of the password actually chosen.
There are four basic ways to attack a password:
1. Social Engineering - learn about the individual and try to guess something that he might choose as an easily remembered password. The only defense against this kind of attack is to not choose something that is directly associated with you individually.
2. Dictionary Attack - this is one of the two categories of automated attack - it consists of using a program that runs through every word in the dictionary looking for one that gets in. Some dictionary attack programs use multiple language dictionaries. The best defense against this kind of attack is for system administrators to educate users to never use any single word as a password. But system administrators hardly ever believe in educating users, so most rely on password complexity rules to force users to include numbers or symbols in their passwords; I've also seen one system that prohibits all vowels in passwords.
3. Brute Force Attack - this is the other category of automated attack. This sort of program just keeps trying every possible combination until it finds the right password. NO PASSWORD IS SAFE FROM A BRUTE FORCE ATTACK. Sooner or later such an attack will find the right password; it is only a question of time. The only defenses against a brute force attack are totally dependent on the software being attacked. One way to defeat brute force attacks is to have a system that locks out a user after a preset number of incorrect password attempts. For this to work, the system must remember the count even when disconnected or shut down; otherwise the attacker can just run the attempts in small batches. The other defensive measure is for the system to impose a delay after unsuccessful password attempts. This will not completely block a brute force attack, but it can considerably increase the time required to crack a password, making it more likely that the attack will be discovered before it succeeds.
4. The last method of cracking a password is another form of social engineering. It consists of looking around the person's desk, Rolodex, etc. for where he has the password written down! This method is surprisingly successful today because most business users find that they have to access too many different systems with different assigned User IDs and different rules about the password format. How many people can really remember ten to twenty different IDs and passwords, especially when perhaps half those systems are used once a week or less?
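The two brute-force defenses in item 3, a lockout counter that survives a disconnect or restart and a growing delay after each failure, as an added example (not code from the original post). The threshold of 5 failures, the 2-second base delay and the JSON file standing in for the server's account database are all assumptions made for the demo.

```python
import json
import os
import tempfile

LOCKOUT_THRESHOLD = 5      # assumed policy: lock the account after 5 consecutive failures
BASE_DELAY_SECONDS = 2.0   # assumed policy: delay doubles with every failure


class FailureStore:
    """Per-account failure counter kept on disk, so that a reconnect or a
    restart of the login service does NOT reset it (the caveat in item 3)."""

    def __init__(self, path):
        self.path = path
        self.counts = {}
        if os.path.exists(path):
            with open(path) as f:
                self.counts = json.load(f)

    def get(self, user):
        return self.counts.get(user, 0)

    def set(self, user, count):
        self.counts[user] = count
        with open(self.path, "w") as f:   # write through on every change
            json.dump(self.counts, f)


def evaluate_login(store, user, password_correct):
    """Return (status, delay_seconds); status is 'ok', 'denied' or 'locked'.
    The caller enforces the delay; nothing here sleeps, so it is testable."""
    failures = store.get(user)
    if failures >= LOCKOUT_THRESHOLD:
        return ("locked", 0.0)              # still locked after a restart
    if password_correct:
        store.set(user, 0)                  # success resets the counter
        return ("ok", 0.0)
    failures += 1
    store.set(user, failures)
    if failures >= LOCKOUT_THRESHOLD:
        return ("locked", 0.0)
    return ("denied", BASE_DELAY_SECONDS * 2 ** (failures - 1))


def guesses_before_lockout(path, total_guesses, batch_size):
    """Wrong guesses submitted in batches, with a fresh FailureStore reloaded from
    disk between batches (a 'disconnect'). Returns how many were evaluated before
    the lock engaged; with a persisted counter this never exceeds THRESHOLD - 1."""
    evaluated = 0
    for start in range(0, total_guesses, batch_size):
        store = FailureStore(path)          # simulated reconnect / service restart
        for _ in range(min(batch_size, total_guesses - start)):
            status, _delay = evaluate_login(store, "alice", False)
            if status == "locked":
                return evaluated
            evaluated += 1
    return evaluated


def new_store_path():
    """Constructed scratch location for the demo; a real service uses its database."""
    return os.path.join(tempfile.mkdtemp(), "failures.json")
```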